Microsoft Exchange Server vulnerabilities: updates on the previously known zero-day remote code execution vulnerabilities identified as CVE-2022-41040 and CVE-2022-41082.
• Two zero-day vulnerabilities, CVE-2022-41040 and CVE-2022-41082, in Microsoft's on-premises Exchange Servers (2013, 2016, and 2019) have been known since late September 2022.
• CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability (CVSS 8.8), and CVE-2022-41082 allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker (CVSS 8.8). CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082.
• The Microsoft Security Response team updated its Customer Guidance for these reported zero-day vulnerabilities in Microsoft Exchange Server because Microsoft’s initial mitigations were found to be insufficient.
• The vulnerabilities together are known as ProxyNotShell and are already being exploited in the wild.
• This advisory updates the guidance given in Sequretek advisory SQTK/ADV/0072.